[
https://issues.apache.org/jira/browse/HADOOP-9421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13669511#comment-13669511
]
Luke Lu commented on HADOOP-9421:
---------------------------------
bq. This is our last shot for a long time to make RPC changes, so we should
make it as flexible as possible.
Agreed. But your proposal/patch actually makes it less flexible by making SASL
depend on RPC engine implementation details.
bq. SASL should ideally be a detail of RPC calls instead of only an initial
connection detail (important for following points)
My latest proposal decoupled the session concept from the underlying
connection. By making the session explicit, you can have a more powerful and
less leaky abstraction to handle all your use cases in a cleaner fashion.
bq. Server should be able to issue SASL challenges mid-stream, perhaps after a
connection has been open for an extended time, or to allow restricted
super-user operations like chown
This can be easily supported by simply closing the session (with the connection
remaining open) and restarting the session.
bq. Out of band SASL auth (not distinguishable from actual RPC calls) precludes
multiplexing multiple UGIs over a single connection - a concept y! has
internally contemplated.
A SASL exchange could be much more expensive than typical RPC calls. Multiplexing
multiple UGIs over a single connection doesn't require per-call SASL, which is
an incredibly inefficient way of achieving the goal. A reasonable way to do it
would be opening a proxy user session and adding an optional user field per call
to allow efficient multiple secure impersonations per call over the same
session. Again, the session concept is general enough to support per-call SASL
as well, by optionally closing the session per call. The session concept gives you
the flexibility of amortizing the cost of SASL over multiple RPCs.
bq. If different serializations are ever supported, we can change SASL at that
time.
This is one of the major flaws of your proposal. We want to be able to support
multiple RPC engines at the same time in the future to allow parallel
development/deployment of RPC engines. We don't want to implement SASL again
for each RPC engine.
> Convert SASL to use ProtoBuf and add lengths for non-blocking processing
> ------------------------------------------------------------------------
>
> Key: HADOOP-9421
> URL: https://issues.apache.org/jira/browse/HADOOP-9421
> Project: Hadoop Common
> Issue Type: Sub-task
> Affects Versions: 2.0.3-alpha
> Reporter: Sanjay Radia
> Assignee: Daryn Sharp
> Attachments: HADOOP-9421.patch, HADOOP-9421.patch,
> HADOOP-9421-v2-demo.patch
>
>
--
This message is automatically generated by JIRA.
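A toy model of the session idea argued for in the comment above, added here as an illustration and not taken from the comment, the attached patches, or Hadoop's code. Every class, method and credential is hypothetical, and a shared-secret check stands in for the SASL exchange; it shows one handshake amortized over several calls, a per-call user field checked against an impersonation allowlist, and a session restart on the same connection.

```python
import hmac

class AuthError(Exception):
    """Raised when authentication or an impersonation check fails."""

class Connection:
    """Hypothetical transport connection carrying one session at a time."""

    def __init__(self, credentials, proxy_acl):
        self.credentials = credentials  # principal -> secret (constructed sample data)
        self.proxy_acl = proxy_acl      # proxy principal -> users it may impersonate
        self.session_user = None        # None means no session is open
        self.handshakes = 0             # how often the expensive exchange ran

    def open_session(self, principal, secret):
        """Stand-in for the SASL exchange: the costly step, run once per session."""
        self.handshakes += 1
        expected = self.credentials.get(principal)
        if expected is None or not hmac.compare_digest(expected, secret):
            raise AuthError("authentication failed for " + principal)
        self.session_user = principal

    def close_session(self):
        """End the session; the connection itself stays open for a new one."""
        self.session_user = None

    def call(self, method, as_user=None):
        """One RPC inside the session; as_user is the optional per-call user field."""
        if self.session_user is None:
            raise AuthError("no open session")
        effective = as_user or self.session_user
        allowed = self.proxy_acl.get(self.session_user, ())
        if effective != self.session_user and effective not in allowed:
            raise AuthError(self.session_user + " may not impersonate " + effective)
        return (method, effective)

def demo():
    """Run a proxy session, a denied impersonation, then a restarted session."""
    conn = Connection({"proxy": "s3cret", "admin": "adm1n"}, {"proxy": {"alice", "bob"}})
    conn.open_session("proxy", "s3cret")
    results = [conn.call("getFileInfo", u) for u in ("alice", "bob", "alice")]
    try:
        conn.call("chown", "root")      # "root" is not in the proxy's allowlist
    except AuthError:
        results.append(("chown", "denied"))
    conn.close_session()                # same connection, session restarted
    conn.open_session("admin", "adm1n")
    results.append(conn.call("chown"))
    return results, conn.handshakes
```

The handshake counter ends at 2 for five calls, and the per-call user field is honored only when the session's authenticated principal is allowed to impersonate that user.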